Vendor Risk Management Insights

One of the most common questions we’re asked is how to incorporate continuous monitoring into a third-party risk management program. In part one of this two-part blog, we discussed beginning with the end state in mind to establish goals for your continuous monitoring program and suggested you jumpstart your program with a pilot. So once the pilot is complete, now what?

Making Your Risk Management Software Work For You

The wheels are in motion. You’ve developed a reasonably good understanding of how to incorporate your new continuous risk assessment solution into your process, and have portfolio-level understanding of your vendor risks. Now, you want to take what you learned from the pilot and expand and mature your risk-adjusted vendor management model. And, you want to begin tracking suppliers and 4th parties that are currently unmanaged.

Your next step is to roll out the continuous risk assessment process and monitoring solution to your remaining managed vendors. Begin by engaging these vendors as their annual assessments occur, and establish thresholds in your monitoring program that alert you if a vendor deviates materially in between assessment periods. Over time, this historical monitoring information will help you establish a baseline of trust for each vendor. In addition, you should continue to add unmanaged suppliers and 4th parties to your continuous monitoring process.

Meanwhile, if you have not already done so, begin leveraging the objective, third-party data reports into your RFP process. You now have a rapid and actionable way to assess vendors during the proposal process (before they are contracted with) to help in the selection and to identify potential risks.

Your assessment provider’s continuous monitoring and alerting capabilities should be integrated into your incident response process so that you can easily identify material changes that occur in between the standard assessment process. And when ‘celebrity vulnerabilities’ emerge, leverage the capabilities of your continuous monitoring provider to identify the specific third parties and systems exposed to this new threat. You will likely need to partner with your security and vulnerability management peers who may own or assist with investigation and response.

Continuous Improvement is Essential in Vendor Risk Management

With the passage of time, you will accumulate historical data on all managed vendors. And with the help of your assessment provider, you should also accumulate risk assessments for your unmanaged vendors and fourth parties. These assessments give you the necessary information to prioritize, in terms of size and scope, the inherent risk and historical quality of each vendor’s security practices.

As our clients accumulate sufficient historical evidence, they typically find many ways to develop more productivity and control in their process.

Receiving actionable information allows each analyst to cover more vendors as they spend less time preparing for assessments and can quickly pinpoint where to focus their efforts.

Using historical risk and objective data already known about each vendor permits risk-adjusted frequency of the survey and attestation process.

Similarly, clients can tailor the number of steps and overall assessment scope with the information provided by their continuous monitoring program.

The journey from kick-off to full implementation of your continuous monitoring program typically takes place over a year or more. As a result of that implementation period, you will have a risk-adjusted program informed by verifiable and objective risk assessment information. You will also be able to leverage historical trending information, consistent scoring and actionable security alerts. This information and these capabilities will allow you to better scale your program, increase vendor coverage, and improve your control effectiveness.

We’d love to share more insights into how to successfully incorporate continuous monitoring into your risk management program. Give us a call today (781-784-2054).